In our mid-2020 vulnerability update, we will leverage the expert insight of Avira’s Vulnerability Detection Team – part of Avira’s Protection Labs – to look at some of the most critical vulnerabilities that could be exploited.
Top 5 vulnerabilities
Our top 5 vulnerability threats for mid-2020 make this list based on our assessment of their criticality, coverage, and impact.
This summer, we have seen multiple critical, high-risk vulnerabilities disclosed, and patched, across a wide range of software platforms. The most important of these is “Zerologon”, which affects Windows domain controllers. It is closely followed by SIGRed, a remote code execution bug in Microsoft’s DNS server that arrived on the heels of a series of other DNS fixes.
Microsoft Netlogon vulnerability “Zerologon”
Microsoft’s August Patch Tuesday release fixed a Netlogon bug that received the maximum CVSS score of 10.0. It was assigned CVE-2020-1472 and is better known as Zerologon.
Successful exploitation allows an unauthenticated attacker with network access to a domain controller to take it over and obtain domain administrator privileges.
At the core of the vulnerability is a cryptographic mistake in the Netlogon authentication handshake. Netlogon computes a credential from an 8-byte challenge using AES in CFB8 mode, but with an initialization vector fixed to all zeroes. With a zero IV, an all-zero challenge encrypts to an all-zero credential for roughly one in 256 session keys, so an attacker who keeps sending zero challenges and zero credentials can authenticate as any machine account, including the domain controller’s own, within a few hundred attempts and without knowing its password. The same weakness lets the attacker call the password-change operation and set the domain controller’s machine account password to an empty value, which is what gives the bug its name, “Zerologon.”
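The one-in-256 property described above comes entirely from CFB8 mode with a fixed zero IV, so it can be shown without a real AES implementation. The following is an added example written for this post, not Microsoft’s code or any published exploit: it uses a SHA-256 based keyed function as a stand-in for the AES block function (an assumption that does not affect the argument, since the property holds for any block cipher), models ComputeNetlogonCredential as CFB8 with a zero IV, and simulates the attacker’s retry loop with deterministic stand-in session keys derived from a seed. The names `netlogon_credential`, `simulate_attack` and `session_key_for` are this example’s own.

```python
import hashlib

BLOCK_SIZE = 16     # AES block size in bytes
CHALLENGE_SIZE = 8  # Netlogon client and server challenges are 8 bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (assumption: a keyed PRF built
    from SHA-256, used so the example runs without an AES library).
    The 1-in-256 property below depends only on CFB8 mode with a zero IV,
    not on the block cipher, so the stand-in does not change the argument."""
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of
    E(shift register); the register then drops its oldest byte and appends
    the ciphertext byte just produced."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(shift))[0]
        c = p ^ keystream_byte
        out.append(c)
        del shift[0]
        shift.append(c)
    return bytes(out)


def netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Models ComputeNetlogonCredential in AES mode: CFB8 with the IV fixed
    to 16 zero bytes. The fixed zero IV is the flaw."""
    return cfb8_encrypt(session_key, bytes(BLOCK_SIZE), challenge)


def zero_challenge_gives_zero_credential(session_key: bytes) -> bool:
    """True when an all-zero client challenge encrypts to an all-zero
    credential, i.e. when the server would accept the attacker's zero
    credential. With a zero IV and zero plaintext the shift register stays
    all-zero for as long as the keystream byte is zero, so this happens
    exactly when the first byte of E(key, 0^16) is zero: probability 1/256."""
    zero = bytes(CHALLENGE_SIZE)
    return netlogon_credential(session_key, zero) == zero


def session_key_for(seed: str, attempt: int) -> bytes:
    """Deterministic stand-in for the per-attempt session key (in the real
    protocol it is derived from the server challenge and the machine
    account's password, which the attacker does not know)."""
    return hashlib.sha256(f"{seed}:{attempt}".encode()).digest()


def simulate_attack(seed: str, max_attempts: int = 5000) -> int:
    """The attacker's loop: start a new authentication (fresh session key),
    send an all-zero client challenge and an all-zero client credential,
    and repeat until the server accepts. Returns the number of attempts
    needed; the expected value is 256."""
    for attempt in range(1, max_attempts + 1):
        if zero_challenge_gives_zero_credential(session_key_for(seed, attempt)):
            return attempt
    raise RuntimeError("no weak session key found within max_attempts")


def hit_rate(num_keys: int, seed: str = "rate") -> float:
    """Fraction of session keys for which the zero credential is accepted."""
    hits = sum(
        zero_challenge_gives_zero_credential(session_key_for(seed, i))
        for i in range(num_keys)
    )
    return hits / num_keys


if __name__ == "__main__":
    print("attempts until a zero credential was accepted:", simulate_attack("demo"))
    print("fraction of keys accepting a zero credential:", hit_rate(20000))
```

The example stops at the authentication bypass; it does not perform the password change. Note that the fix Microsoft shipped is not a change of cipher mode but enforcement of signed and sealed (secure RPC) Netlogon channels, which is why the patch rolls out in phases and why monitoring for rejected unsigned Netlogon connections (the event IDs Microsoft documents with the patch) is the practical detection.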
Proof-of-concept exploits have started surfacing in public repositories. Microsoft has announced a second, enforcement phase of the fix for a later release.
Active attacks leveraging the Zerologon vulnerability were spotted in the wild in September.
In a similar case, public exploits for SMBGhost (CVE-2020-0796, the wormable bug in SMBv3 compression patched in March) were released over the summer. This led to a considerable increase in external attacks on exposed SMB services.
Microsoft DNS vulnerability CVE-2020-1350 aka SIGRed
Following a series of DNS bugs reported, and patched, by Microsoft this summer, CVE-2020-1350, dubbed SIGRed, is another vulnerability with a CVSS base score of 10.0. SIGRed affects the DNS server role in Windows Server versions 2003 through 2019, and because an exploit could be wormable, spreading from one vulnerable DNS server to the next without user interaction, the severity is rated ‘critical.’
The vulnerability allows arbitrary remote code execution. A malicious DNS response larger than the parser accounts for triggers an integer overflow in a 16-bit length calculation, which in turn leads to a heap-based buffer overflow. According to Check Point, who reported the bug, triggering it requires the victim’s Windows DNS server to query a DNS server the attacker controls (for example, by resolving a name in a domain the attacker owns) and to receive a reply containing a SIG or RRSIG record; both record types share the same wire structure.
Microsoft’s DNS server uses the same SigWireRead function to parse both record types, which inspired the SIGRed name. Public exploits have not yet surfaced, although blog posts describing a full exploitation scenario have been published.
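To make the integer overflow concrete, here is an added example written for this post; it is not Microsoft’s parser, Check Point’s code or a working exploit. It parses a SIG/RRSIG RDATA according to its RFC wire layout (both types share it), then shows two ways of computing the allocation size for the parsed record: one that sums the fixed header, the decompressed signer’s name and the signature into a 16-bit value, and a hardened one that computes the size in a wide type and rejects anything a 16-bit field cannot hold. The per-record overhead constant `RR_HEADER_OVERHEAD` is an assumed value, and the input buffer is constructed for the demonstration: the signer’s name is a 2-byte compression pointer on the wire but 255 bytes when expanded, which is the modelling choice that lets a legal 16-bit RDLENGTH push the sum past 65535.

```python
import struct

# RRSIG/SIG RDATA fixed fields (RFC 4034 section 3.1 / RFC 2535 section 4.1):
# type covered, algorithm, labels, original TTL, expiration, inception, key tag
SIG_FIXED = struct.Struct("!HBBIIIH")
MAX_NAME_LEN = 255        # RFC 1035 limit for a decompressed domain name
MAX_RDLENGTH = 0xFFFF     # RDLENGTH is a 16-bit field
# Assumed per-record bookkeeping the parser adds to the allocation; the exact
# constants in Microsoft's SigWireRead are not reproduced here.
RR_HEADER_OVERHEAD = 20


def read_name(msg: bytes, off: int):
    """Read a DNS name at msg[off:], following RFC 1035 compression pointers.
    Returns (name, bytes consumed on the wire at off, decompressed length)."""
    labels, consumed, expanded, jumps = [], 0, 0, 0
    pos, jumped = off, False
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:                  # 2-byte compression pointer
            jumps += 1
            if jumps > 8:
                raise ValueError("too many compression pointers")
            if not jumped:
                consumed += 2
                jumped = True
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
            continue
        if not jumped:
            consumed += 1 + n
        expanded += 1 + n
        if expanded > MAX_NAME_LEN:
            raise ValueError("decompressed name exceeds 255 octets")
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + ".", consumed, expanded


def parse_sig_rdata(msg: bytes, rdata_off: int, rdlength: int) -> dict:
    """Parse one SIG/RRSIG RDATA (identical layout for both types)."""
    if rdlength > MAX_RDLENGTH:
        raise ValueError("RDLENGTH exceeds 16 bits")
    f = SIG_FIXED.unpack_from(msg, rdata_off)
    signer, consumed, expanded = read_name(msg, rdata_off + SIG_FIXED.size)
    sig_off = rdata_off + SIG_FIXED.size + consumed
    return {
        "type_covered": f[0], "algorithm": f[1], "labels": f[2],
        "original_ttl": f[3], "expiration": f[4], "inception": f[5],
        "key_tag": f[6], "signer": signer, "signer_len": expanded,
        "signature": msg[sig_off:rdata_off + rdlength],
    }


def bytes_needed(rec: dict) -> int:
    """True in-memory size: overhead, decompressed signer name, signature."""
    return RR_HEADER_OVERHEAD + rec["signer_len"] + len(rec["signature"])


def vulnerable_alloc_size(rec: dict) -> int:
    """Models the bug class: the size is summed into a 16-bit value. A
    signature near the RDLENGTH limit plus a 255-byte decompressed name
    pushes the sum past 65535, which wraps to a tiny allocation while the
    copy that follows still uses the true lengths."""
    return bytes_needed(rec) & 0xFFFF


def copy_would_overflow(rec: dict) -> bool:
    return vulnerable_alloc_size(rec) < bytes_needed(rec)


def hardened_alloc_size(rec: dict) -> int:
    """Compute the size in a wide type and refuse anything a 16-bit size
    field could not represent."""
    total = bytes_needed(rec)
    if total > 0xFFFF:
        raise ValueError(f"record needs {total} bytes, exceeds 16-bit size")
    return total


def allocation_is_safe(rec: dict) -> bool:
    try:
        hardened_alloc_size(rec)
        return True
    except ValueError:
        return False


def build_demo_message(sig_len: int):
    """Constructed input, not a captured packet: a 255-byte name at offset 0,
    followed by a SIG RDATA whose signer field is a compression pointer
    (0xC000) back to that name and then sig_len bytes of 'signature'.
    Returns (msg, rdata_offset, rdlength)."""
    name = b"".join(bytes([63]) + b"a" * 63 for _ in range(3)) + bytes([61]) + b"b" * 61 + b"\x00"
    assert len(name) == MAX_NAME_LEN
    rdata = SIG_FIXED.pack(1, 8, 2, 3600, 0, 0, 0) + b"\xC0\x00" + b"\x41" * sig_len
    return name + rdata, len(name), len(rdata)


if __name__ == "__main__":
    msg, off, rdlength = build_demo_message(65500)
    rec = parse_sig_rdata(msg, off, rdlength)
    print("bytes needed:", bytes_needed(rec))
    print("16-bit allocation:", vulnerable_alloc_size(rec), "overflow:", copy_would_overflow(rec))
    print("hardened parser accepts record:", allocation_is_safe(rec))
```

The record in the demo is well-formed DNS (RDLENGTH 65520, name within the 255-octet limit), which is the point: nothing about it violates the protocol, so input validation alone does not save a parser that does its size arithmetic in a 16-bit type. The hardened variant is what a fix looks like: widen the arithmetic and fail closed.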
F5 BIG-IP Remote Code Execution
A critical remote code execution vulnerability in F5’s BIG-IP product was disclosed and assigned CVE-2020-5902. It affects the configuration utility (the Traffic Management User Interface, TMUI) served on the BIG-IP management port, so exploitation requires network access to that interface, which should never be reachable from the Internet. An unauthenticated attacker can execute arbitrary system commands, create or delete files, disable services, and run arbitrary Java code to fully compromise the device.
Shortly after the advisories were published, active exploitation was observed alongside opportunistic mass scanning for vulnerable devices.
Mozilla Firefox Use After Free
Mozilla patched CVE-2020-12405 in Firefox at the beginning of June. The disclosure described a race condition in the SharedWorker component that could result in a use-after-free; successful exploitation could lead to remote code execution. There are currently no reports of this vulnerability being abused.
Bluetooth “BLURtooth” attack
The Bluetooth SIG disclosed CVE-2020-15802 in September, together with guidance on how device vendors can mitigate a new attack on Bluetooth-capable devices. The vulnerability, named BLURtooth (or the BLUR attack), exploits the lack of validation in Cross-Transport Key Derivation (CTKD), the mechanism that lets a device supporting both Bluetooth Classic (BR/EDR) and Bluetooth Low Energy (BLE) derive the key for one transport from a pairing performed on the other. An attacker within range can use it to overwrite the keys of the other transport with weaker or attacker-controlled keys and so bypass the authentication and encryption of a previously paired device.
A related impersonation issue, disclosed earlier in 2020 as BIAS (CVE-2020-10135), targets Bluetooth Classic (BR/EDR), the transport used for short-range connections such as audio. To establish an encrypted connection, two Bluetooth devices must pair and share a link key. An unauthenticated attacker within radio range can impersonate a previously paired (bonded) device and complete authentication without knowing the link key, gaining the access of the impersonated device by performing a Bluetooth Impersonation Attack (BIAS).
BLURtooth potentially exposes the billions of devices that implement CTKD as specified in Bluetooth Core Specification versions 4.2 through 5.0. At the time of writing, no patches have been released to mitigate this attack; mitigation depends on updates from device and Bluetooth stack vendors.
Vulnerabilities and exploits are a constant threat. At Avira’s Vulnerability Detection lab, we continuously monitor exploitation activity and analyze the latest vulnerabilities in order to provide our customers with the best protection and detection capabilities.